Commit Graph

1003 Commits

Author SHA1 Message Date
Nicolas 1c2d5e9b03 fix(actions): make artifact signature payloads unambiguous (#37707) (#37795)
This PR hardens artifact URL signing by encoding signature inputs in an
unambiguous binary payload before computing the HMAC.

What it changes:

- replace direct concatenation-style signing inputs with explicit
payload builders
- encode string fields with a length prefix before appending their bytes
- encode integer fields as fixed-width binary values instead of decimal
text
- apply the same hardening to both:
  - Actions Artifact V4 signing in `routers/api/actions/artifactsv4.go`
  - artifact download signing in `routers/api/v1/repo/action.go`
- add regression tests that verify distinct field combinations produce
distinct payloads and signatures

Why:

The previous signing logic built HMAC inputs by appending multiple
fields without a strongly structured representation. That kind of
construction can create ambiguity at field boundaries, where different
parameter combinations may serialize into the same byte stream for
signing.

This change removes that ambiguity by constructing a deterministic
payload format with explicit boundaries between fields.

Backport #37707

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>
2026-05-20 17:16:21 +00:00
Lunny Xiao a34eac5ef4 fix: Unify public-only token filtering in API queries and repo access checks (#37118) (#37773)
backport #37118 

This PR closes remaining `public-only` token gaps in the API by making
the restriction apply consistently across repository, organization,
activity, notification, and authenticated `/api/v1/user/...` routes.

Previously, `public-only` tokens were still able to:
- receive private results from some list/search/self endpoints,
- access repository data through ID-based lookups,
- and reach several authenticated self routes that should remain
unavailable for public-only access.

This change treats `public-only` as a cross-cutting visibility boundary:
- list/search endpoints now filter private resources consistently,
- repository lookups enforce the same restriction even when addressed
indirectly,
- and self routes that inherently expose or mutate private account state
now reject `public-only` tokens.

---
Generated by a coding agent with Codex 5.2

Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>
Co-authored-by: Nicolas <bircni@icloud.com>
2026-05-19 15:38:51 +00:00
Giteabot 2bafa41554 fix(api): return 409 message instead of empty JSON for wrong commit id (#37572) (#37584)
Backport #37572 by @Exgene

## Issue
Closes #37217 

The error string was getting lost while returning due to `ctx.JSON()`
which cannot serialize the `error` object.

## Fix

Use `ctx.APIError()` to return proper error messages back to the client.

Co-authored-by: Kausthubh J Rao <105716675+Exgene@users.noreply.github.com>
2026-05-07 11:36:52 +02:00
Giteabot 68f5e40e46 fix(api): handle missing base branch in PR commits API (#37193) (#37203)
Backport #37193 by @Mohit25022005

fix(api): handle missing base branch in PR commits API

Closes #36366

Previously, the PR commits API returned a 500 Internal Server Error
when the base branch was missing due to an unhandled git "bad revision"
error.

This change:
- Checks for base branch existence before performing git operations
- Returns 404 when the base branch does not exist
- Prevents git errors from surfacing as 500 responses

This improves API robustness and aligns behavior with expected error
handling.

Tested locally by:
- Creating a pull request
- Deleting the base branch
- Verifying that the API returns 404 instead of 500

Co-authored-by: Mohit Swarnkar <mohitswarnkar13@gmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
2026-04-13 23:42:11 +02:00
Giteabot 789a3d3a4d fix(api): handle fork-only commits in compare API (#37185) (#37199)
Backport #37185 by @Mohit25022005

Fix 500 error when comparing branches across fork repositories

## Problem

The compare API returns a 500 Internal Server Error when comparing
branches where the head commit exists only in the fork repository.

## Cause

The API was using the base repository's GitRepo and repository context
when converting commits. This fails when the commit does not exist in
the base repository, resulting in a "fatal: bad object" error.

## Solution

Use the head repository and HeadGitRepo when available to ensure commits
are resolved in the correct repository context.

## Result

* Fixes "fatal: bad object" error
* Enables proper comparison between base and fork repositories
* Prevents 500 Internal Server Error

Fixes #37168

Co-authored-by: Mohit Swarnkar <mohitswarnkar13@gmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2026-04-13 18:01:44 +00:00
wxiaoguang 73e0e44298 Fix various problems (#37129)
* Fix #37128
    * Manually tested with various cases (issue, pr) X (close, reopen)
* Fix #36792
    * Fix the comment
* Fix #36755
    * Add a "sleep 3"
* Follow up #36697
    * Clarify the "attachment uploading" problem and function call

---------

Signed-off-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: TheFox0x7 <thefox0x7@gmail.com>
2026-04-08 01:17:05 +08:00
wxiaoguang 2c2d7e6f64 Fix various bugs (#37096)
* Fix #36001
* Fix #35498
* Fix #35395
* Fix #35160
* Fix #35058
* Fix #35445
2026-04-03 20:03:59 +00:00
Lunny Xiao 686d10b7f0 Fix a bug when forking a repository in an organization (#36950)
`CanCreateOrgRepo` should be checked before forking a repository into this organization.

---------

Signed-off-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2026-04-02 15:04:43 -07:00
Myers Carpenter c31e0cfc1c Expose content_version for optimistic locking on issue and PR edits (#37035)
- Add `content_version` field to Issue and PullRequest API responses
- Accept optional `content_version` in `PATCH
/repos/{owner}/{repo}/issues/{index}` and `PATCH
/repos/{owner}/{repo}/pulls/{index}` — returns 409 Conflict when stale,
succeeds silently when omitted (backward compatible)
- Pre-check `content_version` before any mutations to prevent partial
writes (e.g. title updated but body rejected)

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2026-03-30 13:44:32 +00:00
Myers Carpenter 2633f9677d Correct swagger annotations for enums, status codes, and notification state (#37030)
## ⚠️ BREAKING ⚠️

- delete reaction endpoints is changed to return 204 No Content rather
than 200 with no content.

## Summary

Add swagger:enum annotations and migrate all enum comments from the
deprecated comma-separated format to JSON arrays. Introduce
NotifySubjectStateType with open/closed/merged values. Fix delete
reaction endpoints to return 204 instead of 200.
2026-03-30 08:28:48 +08:00
Nicolas db7eb4d51b Fix issue label deletion with Actions tokens (#37013)
Use shared repo permission resolution for Actions task users in issue
label remove and clear paths, and add a regression test for deleting
issue labels with a Gitea Actions token.

This fixes issue label deletion when the request is authenticated with a
Gitea Actions token.
Fixes #37011 

The bug was that the delete path re-resolved repository permissions
using the normal user permission helper, which does not handle Actions
task users. As a result, `DELETE
/api/v1/repos/{owner}/{repo}/issues/{index}/labels/{id}` could return
`500` for Actions tokens even though label listing and label addition
worked.

---------

Co-authored-by: Codex <codex@openai.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: Giteabot <teabot@gitea.io>
2026-03-29 09:21:14 +00:00
ChristopherHX bc5c554072 Feature non-zipped actions artifacts (action v7) (#36786)
- content_encoding contains a slash => v4 artifact
- updated proto files to support mime_type and no longer return errors for upload-artifact v7
- json and txt files are now previewed in browser
- normalized content-disposition header creation
- azure blob storage uploads directly in servedirect mode (no proxying data)
- normalize content-disposition headers based on go mime package
  - getting both filename and filename* encoding is done via custom code

Closes #36829

-----

Signed-off-by: ChristopherHX <christopher.homberger@web.de>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2026-03-26 00:37:48 +08:00
ChristopherHX 0ab612f5ab Refactor storage content-type handling of ServeDirectURL (#36804)
* replace raw url.Values by *storage.ServeDirectOptions
* implement content-type in azblob
* implement content-disposition in azblob
* add tests for content types in response
* http.MethodPut for azure now allows implementing servedirect uploads

---------

Signed-off-by: ChristopherHX <christopher.homberger@web.de>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2026-03-21 21:26:13 -07:00
bircni b22123ef86 Feature: Add button to re-run failed jobs in Actions (#36924)
Fixes #35997

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2026-03-21 21:27:13 +00:00
Nicolas b3b2d111da Feature: Add per-runner “Disable/Pause” (#36776)
This PR adds per-runner disable/enable support for Gitea Actions so a
registered runner can be paused from picking up new jobs without
unregistering.

Disabled runners stay registered and online but are excluded from new
task assignment; running tasks are allowed to finish. Re-enabling
restores pickup, and runner list/get responses now expose disabled
state.

Also added an endpoint for testing
http://localhost:3000/devtest/runner-edit/enable

<img width="1509" height="701" alt="Bildschirmfoto 2026-02-27 um 22 13
24"
src="https://github.com/user-attachments/assets/5328eda9-e59c-46b6-b398-f436e50ee3da"
/>


Fixes: https://github.com/go-gitea/gitea/issues/36767
2026-03-16 10:24:36 -07:00
majianhan 877f091305 Fix typos in code comments: doesnt, dont, wont (#36890)
Fix missing apostrophes in contractions across multiple source files.

Changes:
- `doesnt` -> `doesn't` in `routers/api/v1/repo/git_ref.go` (2
occurrences)
- `dont` -> `don't` in `models/activities/notification_list.go`,
`modules/indexer/code/bleve/token/path/path.go`,
`routers/api/v1/repo/release.go`,
`services/migrations/gitea_downloader.go`,
`services/repository/contributors_graph.go`
- `wont` -> `won't` in `routers/api/v1/repo/issue_subscription.go`,
`models/issues/label_test.go`

Ref: #35015 (good first issues - improve English)

---------

Co-authored-by: majianhan <majianhan@kylinos.cn>
Co-authored-by: silverwind <me@silverwind.io>
2026-03-13 09:58:44 -07:00
Zettat123 385994295d Replace index with id in actions routes (#36842)
This PR migrates the web Actions run/job routes from index-based
`runIndex` or `jobIndex` to database IDs.

**⚠️ BREAKING ⚠️**: Existing saved links/bookmarks that use the old
index-based URLs will no longer resolve after this change.

Improvements of this change:
- Previously, `jobIndex` depended on list order, making it hard to
locate a specific job. Using `jobID` provides stable addressing.
- Web routes now align with API, which already use IDs.
- Behavior is closer to GitHub, which exposes run/job IDs in URLs.
- Provides a cleaner base for future features without relying on list
order.
- #36388 this PR improves the support for reusable workflows. If a job
uses a reusable workflow, it may contain multiple child jobs, which
makes relying on job index to locate a job much more complicated

---------

Signed-off-by: Zettat123 <zettat123@gmail.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2026-03-10 22:14:48 +01:00
silverwind 0724344a8a Fix CodeQL code scanning alerts (#36858)
Fixes 10 CodeQL code scanning alerts:

- Change `NewPagination`/`SetLinkHeader` to accept `int64` for total
count, clamping internally to fix incorrect-integer-conversion alerts
([#110](https://github.com/go-gitea/gitea/security/code-scanning/110),
[#114](https://github.com/go-gitea/gitea/security/code-scanning/114),
[#115](https://github.com/go-gitea/gitea/security/code-scanning/115),
[#116](https://github.com/go-gitea/gitea/security/code-scanning/116))
- Use `strconv.Atoi()` in `htmlrenderer.go` to avoid int64 intermediate
([#105](https://github.com/go-gitea/gitea/security/code-scanning/105),
[#106](https://github.com/go-gitea/gitea/security/code-scanning/106))
- Clamp regex match indices in `escape_stream.go` to fix
allocation-size-overflow
([#161](https://github.com/go-gitea/gitea/security/code-scanning/161),
[#162](https://github.com/go-gitea/gitea/security/code-scanning/162),
[#163](https://github.com/go-gitea/gitea/security/code-scanning/163))
- Cap slice pre-allocation in `GetIssueDependencies`
([#181](https://github.com/go-gitea/gitea/security/code-scanning/181))

---------

Co-authored-by: Claude (Opus 4.6) <noreply@anthropic.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2026-03-08 14:35:50 +00:00
silverwind 761b9d439b Fix API not persisting pull request unit config when has_pull_requests is not set (#36718)
The `PATCH /api/v1/repos/{owner}/{repo}` endpoint silently ignores pull
request config fields (like `default_delete_branch_after_merge`,
`allow_squash_merge`, etc.) unless `has_pull_requests: true` is also
included in the request body. This is because the entire PR unit config
block was gated behind `if opts.HasPullRequests != nil`.

This PR restructures the logic so that PR config options are applied
whenever the pull request unit already exists on the repo, without
requiring `has_pull_requests` to be explicitly set. A new unit is only
created when `has_pull_requests: true` is explicitly sent.

Fixes https://github.com/go-gitea/gitea/issues/36466
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: Giteabot <teabot@gitea.io>
2026-03-02 22:08:53 +00:00
Nicolas 054eb6d8a5 feat: Add Actions API rerun endpoints for runs and jobs (#36768)
This PR adds official REST API endpoints to rerun Gitea Actions workflow
runs and individual jobs:

* POST /api/v1/repos/{owner}/{repo}/actions/runs/{run}/rerun
* POST /api/v1/repos/{owner}/{repo}/actions/runs/{run}/jobs/{job_id}/rerun

It reuses the existing rerun behavior from the web UI and exposes it
through stable API routes.

---------

Signed-off-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: Giteabot <teabot@gitea.io>
2026-03-02 21:34:06 +00:00
Lunny Xiao 0e0daa8afe Delete non-exist branch should return 404 (#36694)
Fix #36682

---------

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2026-03-02 11:08:16 -08:00
Lunny Xiao 716a800f50 Remove API registration-token (#36801)
Replace #36793

---------

Co-authored-by: ChristopherHX <christopher.homberger@web.de>
2026-03-02 10:31:42 -08:00
ChristopherHX bc9817b317 WorkflowDispatch api optionally return runid (#36706)
Implements
https://github.blog/changelog/2026-02-19-workflow-dispatch-api-now-returns-run-ids

---------

Signed-off-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2026-03-01 11:58:16 -08:00
wxiaoguang 2c624d4deb Refactor avatar package, support default avatar fallback (#36788)
* Fix #34715
2026-03-01 13:32:35 +00:00
danigm d0f92cb0a1 Add created_by filter to SearchIssues (#36670)
This patch adds the created_by filter to the SearchIssues method.

tea cli has an option to filter by author when listing issues, but it's
not working. The tea command line creates this request for the API when
using the author filter:

```
$ tea issue list -l local --kind pull -A danigm -vvv http://localhost:3000/api/v1/repos/issues/search?created_by=danigm&labels=&limit=30&milestones=&page=1&state=open&type=pulls
```

This patch fixes the API to allow this kind of queries from go-sdk and
tea cli.

---------

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: silverwind <me@silverwind.io>
2026-02-26 11:56:02 +00:00
wxiaoguang 840cf68c3e Fix release draft access check logic (#36720)
1. remove hasRepoWriteScope to avoid abuse
2. clarify "ctx.Written" behavior
3. merge "read-only" tests to slightly improve performance
2026-02-25 20:59:29 +00:00
Lunny Xiao 1eced4a7c0 Fix get release draft permission check (#36659)
Draft release and it's attachments need a write permission to access.

---------

Signed-off-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Giteabot <teabot@gitea.io>
2026-02-22 20:56:46 +00:00
TheFox0x7 eb59b1a24a various fixes (#36697)
fixes bad address concat causing malformed address
Introduces new config options to for release attachments and number of
files to avoid sharing limits for PR/issue attachments and release ones

Fixes: https://github.com/go-gitea/gitea/issues/31638
Fixes: https://github.com/go-gitea/gitea/issues/35812
Doc update: https://gitea.com/gitea/docs/pulls/348
Signed-off-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2026-02-22 08:01:43 +01:00
Lunny Xiao 5ad87616c9 Fix track time issue id (#36664) 2026-02-20 21:48:54 +00:00
Louis e2104a1dd5 Allow configuring default PR base branch (fixes #36412) (#36425)
This adds a per-repository default PR base branch and wires it through
PR entry points. It updates compare links and recently pushed branch
prompts to respect the configured base branch, and prevents auto-merge
cleanup from deleting the configured base branch on same-repo PRs.

## Behavior changes
- New PR compare links on repo home/issue list and branch list honor the
configured default PR base branch.
- The "recently pushed new branches" prompt now compares against the
configured base branch.
- Auto-merge branch cleanup skips deleting the configured base branch
(same-repo PRs only).

---------

Signed-off-by: Louis <116039387+tototomate123@users.noreply.github.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: silverwind <me@silverwind.io>
2026-02-07 01:34:29 +00:00
TheFox0x7 403a73dca0 Add paging headers (#36521)
Adds support for paging in admin/hooks api endpoint

fixes: https://github.com/go-gitea/gitea/issues/36516

---------

Co-authored-by: techknowlogick <techknowlogick@gitea.com>
Co-authored-by: techknowlogick <matti@mdranta.net>
2026-02-06 13:12:05 +00:00
Nicolas c2dea22926 Add resolve/unresolve review comment API endpoints (#36441)
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2026-02-01 12:28:28 +00:00
Copilot 072de7d8cd Unify repo names in system notices (#36491)
Fixes: https://github.com/go-gitea/gitea/issues/36211

This PR fixes ensures that all system notices consistently include
repository names in the format `"Action description (owner/repo): error
message"`.

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: silverwind <115237+silverwind@users.noreply.github.com>
Co-authored-by: silverwind <me@silverwind.io>
2026-02-01 17:06:57 +08:00
Kemal Zebari 56c5d5e819 Restrict branch naming when new change matches with protection rules (#36405)
Resolves #36381 by only allowing admins to perform branch renames that
match to branch protection rules.

---------

Co-authored-by: Giteabot <teabot@gitea.io>
2026-01-23 11:42:24 +01:00
TheFox0x7 69c5921d71 Add ability to download subpath archive (#36371)
closes: https://github.com/go-gitea/gitea/issues/4478

---------

Signed-off-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2026-01-16 09:31:12 +00:00
Lunny Xiao 07ac29da32 Fix bug when compare in the pull request (#36363)
The pull request comparison should not use `direct compare`.
2026-01-14 16:56:23 +00:00
Lunny Xiao 95ea2df00a Add more check for stopwatch read or list (#36340) 2026-01-13 13:13:39 +00:00
Lunny Xiao c8b5a1ddf7 Fix cancel auto merge bug (#36341) 2026-01-12 13:47:06 -08:00
Lunny Xiao fbea2c68e8 Fix delete attachment check (#36320) 2026-01-12 08:16:59 +00:00
wxiaoguang eec8ee056c Fix some trivial problems (#36336)
1. correctly parse git protocol's "OldCommit NewCommit RefName" line, it
should be explicitly split by space
2. add missing "return" in CreatePullRequest
3. add comments for "/user.keys" and "/user.gpg" outputs
4. trim space for the "commit status context name" to follow the same
behavior of git_model.NewCommitStatus
2026-01-09 20:58:21 +02:00
Daniel Mach 1d01286f4c Add 'allow_maintainer_edit' API option for creating a pull request (#36283)
WebUI has a checkbox for enabling maintainer edits you can check right
away when creating a new pull request.
Also, it is possible to set `allow_maintainer_edit` in an existing pull
request via API.
This change enables the option while creating a new pull request via
API.

---------

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2026-01-06 01:00:26 +08:00
Lunny Xiao 8373f7deb3 improve the compare page (#36261)
- The compare page head title should be `compare` but not `new pull
request`.
- Use `UnstableGuessRefByShortName` instead of duplicated functions
calls.
- Direct-compare, tags, commits compare will not display `New Pull
Request` button any more.

The new screenshot
<img width="1459" height="391" alt="image"
src="https://github.com/user-attachments/assets/64e9b070-9c0b-41d1-b4b8-233b96270e1b"
/>

---------

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2026-01-01 10:32:19 -08:00
Lunny Xiao 776e406363 Refactor compare router param parse (#36105)
---------

Signed-off-by: Lunny Xiao <xiaolunwen@gmail.com>
Signed-off-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: techknowlogick <techknowlogick@gitea.io>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2025-12-25 17:51:30 -08:00
Gregorius Bima Kharisma Wicaksana b6ffe0e4e9 refactor: extract helper functions from SearchIssues (#36158)
## Summary

This PR refactors the `SearchIssues` function in
`routers/api/v1/repo/issue.go` by extracting common logic into reusable
helper functions:

- `parseIssueIsClosed()`: Parses the "state" query parameter and returns
the corresponding `isClosed` option
- `parseIssueIsPull()`: Parses the "type" query parameter and returns
the corresponding `isPull` option
- `buildSearchIssuesRepoIDs()`: Builds the list of repository IDs for
issue search based on query parameters

### Benefits:
- Improved code readability
- Smaller, more focused functions
- Easier to test individual components
- Potential for reuse in other handlers

### Changes:
- Extracted 3 helper functions from the ~292 line `SearchIssues`
function
- No functional changes - behavior remains the same
- Proper error handling preserved

## Test plan
- [ ] Verify existing API tests pass
- [ ] Manual testing of `/repos/issues/search` endpoint

Ref: #35015

---------

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2025-12-20 17:57:41 -08:00
Lunny Xiao efd5dd4f0b Fix bug when creating pull request (#36166)
Extract from #36105 

Fix #36116
Fix #35912
Fix #20906
2025-12-17 21:21:04 +00:00
Lunny Xiao a440116a16 Support updating branch via API (#35951)
Resolve #35368
2025-12-10 19:23:26 +00:00
Lunny Xiao 64960a18f9 Move commit related functions to gitrepo package (#35600) 2025-12-05 00:20:23 +00:00
Bryan Mutai 7d6861ac54 Add "Go to file", "Delete Directory" to repo file list page (#35911)
/claim #35898
Resolves #35898 

### Summary of key changes:

1. Add file name search/Go to file functionality to repo button row.
2. Add backend functionality to delete directory
3. Add context menu for directories with functionality to copy path & delete a directory
4. Move Add/Upload file dropdown to right for parity with Github UI
5. Add tree view to the edit/upload UI

---------

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2025-11-30 11:58:15 +08:00
Lunny Xiao 62d750eadb Fix various permission & login related bugs (#36002)
Permission & protection check:

- Fix Delete Release permission check
- Fix Update Pull Request with rebase branch protection check
- Fix Issue Dependency permission check
- Fix Delete Comment History ID check

Information leaking:

- Show unified message for non-existing user and invalid password
    - Fix #35984
- Don't expose release draft to non-writer users.
- Make API returns signature's email address instead of the user
profile's.

Auth & Login:

- Avoid GCM OAuth2 attempt when OAuth2 is disabled
    - Fix #35510

---------

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2025-11-22 07:16:08 +00:00
Alberty Pascal c4c4cf5687 Use correct form field for allowed force push users in branch protection API (#35894)
Test was wrong and preventing update of force push allow users list by
the API

Resolves #35893

Signed-off-by: Alberty Pascal <github@albertyorban.be>
2025-11-09 21:23:46 +00:00